An LTS security update is needed for the following source packages.
When you add a new entry, please keep the list alphabetically sorted.
The specific CVE IDs do not need to be listed; they can be gathered in an
up-to-date manner from
https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE
when working on an update.
To pick an issue, simply add your name after it.
To learn more about how this list is updated, have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
asterisk
--
bind9 (Thorsten Alteholz)
  NOTE: 20190623: test package
  NOTE: 20190708: waiting for more reports
--
bzip2 (Thorsten Alteholz)
  NOTE: 20190711: some kind of upstream regression happened
--
cfengine3 (Mike Gabriel)
  NOTE: 20190628: likely not affected by CVE-2019-9929, but other not-yet-CVE'ed issues ahead
--
exiv2 (Chris Lamb)
--
faad2
  NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed soon.
  NOTE: 20190525: see https://github.com/knik0/faad2/pull/36
  NOTE: 20190610: still waiting for review, currently discussing with Fabian
--
firefox-esr
--
freeimage
  NOTE: Maintainer will take care of the update.
  NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html
--
glib2.0 (Mike Gabriel)
  NOTE: 20190626: https://lists.debian.org/debian-lts/2019/06/msg00031.html
--
golang-go.crypto
  NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby)
--
hdf5
  NOTE: 20190511: upstream was not aware of our undetermined issues. They have assigned
  NOTE: a Jira issue for this: https://jira.hdfgroup.org/browse/HDFFV-10755 (hle)
  NOTE: 20190610: ongoing work. Currently thinking of releasing a first DLA
  NOTE: fixing the first few issues with patch available, but this would logically
  NOTE: imply to first prepare a buster update.
--
imagemagick (Mike Gabriel)
--
libav
  NOTE: 20190529: There are currently 19 CVE issues known for libav in jessie,
  NOTE: 20190529: 11 tagged as . These issues have been triaged, no patch
  NOTE: 20190529: has been found, so far. If you pick libav, be prepared to work
  NOTE: 20190529: out patches yourself.
--
libmatio (Adrian Bunk)
  NOTE: fairly high number of open issues. Not sure why we never had a look at them.
  NOTE: triage work needed, help security team for fixes if needed.
  NOTE: 20190428: most patches can be applied after context adaption
  NOTE: 20190428: all CVEs are from one fuzzing attempt
  NOTE: 20190428: some CVE testcases pass on the unpatched version,
  NOTE: 20190428: but since the fixes can be applied the code
  NOTE: 20190428: is likely vulnerable
  NOTE: 20190428: some CVE testcases still fail after applying the fix,
  NOTE: 20190428: older changes seem to also be required for them
  NOTE: 20190707: work is ongoing
--
libqb
  NOTE: 20190616: Upstream patch does not apply at all, but it appears that
  NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or
  NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)
  NOTE: 20190619: See https://lists.debian.org/debian-lts/2019/06/msg00015.html
--
libsdl1.2
  NOTE: see libsdl2 entry.
--
libsdl2
  NOTE: I have written patches, and they were merged by upstream a few days ago.
  NOTE: upload will happen tomorrow.
--
libsdl2-image
  NOTE: see libsdl2 entry.
--
libxslt (Markus Koschany)
  NOTE: 20190701: the Security Team doesn't want us to mark when jessie was explicitly tested as unfixed, so writing it here (beuc)
  NOTE: 20190701: CVE-2019-13117: patch applies on jessie
  NOTE: 20190701: CVE-2019-13118: patch applies on jessie
--
linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
nss (Roberto C. Sánchez)
--
otrs2 (Abhijith PA)
--
php5
--
pound
  NOTE: 20190715: https://salsa.debian.org/debian/pound/blob/jessie/debian/patches/0009-CVE-2016-1071.patch
--
python2.7
--
qemu
  NOTE: 20190528: An upload candidate is waiting for being tested on real hardware.
  NOTE: 20190528: Still need to set up a notebook with jessie installed for testing.
  NOTE: 20190528: Will also mail a request for testing to the mailing list later
  NOTE: 20190528: today.
  NOTE: 20190529: Upload candidate: http://packages.sunweavers.net/debian/pool/main/q/qemu/qemu_2.1+dfsg-12+deb8u12.dsc
  NOTE: 20190529: More testing needed.
--
ruby-mini-magick
--
ruby-openid
  NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby)
  NOTE: 20190701: Pinged bug (lamby)
  NOTE: 20190705: Pinged bug (lamby)
  NOTE: 20190710: I'm at a loss as to how to continue pursuing this issue (see https://github.com/openid/ruby-openid/issues/122) so returning to the pool. (lamby)
--
sdl-image1.2
  NOTE: see libsdl2 entry.
--
slurm-llnl
--
sox
--
sqlite3
  NOTE: CVE-2019-8457: Should be ignored, based on the discussion on debian-lts:
  NOTE: CVE-2019-8457: https://lists.debian.org/debian-lts/2019/06/msg00013.html (mejo, 2019-06-13)
  NOTE: CVE-2019-5827: No public information about the actual vulnerability available yet. The
  NOTE: CVE-2019-5827: patches from sqlite3 3.27.2-3 suggest that it's related to switching to
  NOTE: CVE-2019-5827: 64-bit memory allocators. There's been quite some changes related to this
  NOTE: CVE-2019-5827: migration between the Jessie version and 3.27.2-3 (from unstable). We might
  NOTE: CVE-2019-5827: have to look into them as well. (mejo, 2019-06-17)
  NOTE: 20190617: A preliminary package with *just* the (presumably) CVE-2019-5827 patches backported:
  NOTE: 20190617: https://people.debian.org/~mejo/debian/jessie-security/sqlite3_3.8.7.1-1+deb8u5.dsc
--
squid3
--
squirrelmail
  NOTE: 20190702: no patch available, upstream apparently inactive,
  NOTE: 20190702: reporter just recommends disabling HTML viewing of messages
  NOTE: 20190702: we've got squirrelmail and squirrelmail-viewashtml users
  NOTE: 20190702: so either write a patch or force disabling HTML?
--
thunderbird
--
tomcat8 (Abhijith PA)
  NOTE: 20190522: FTBFS
  NOTE: 20190701: New CVE just piled up.
--
vim
  NOTE: 20190618: maintainer is preparing the updates (Emilio)
--
wavpack
--
wordpress
  NOTE: 20190614: No upstream fix yet. (apo)
--
wpa (Thorsten Alteholz)
  NOTE: 20190623: test package
  NOTE: 20190708: waiting for more reports
--
xen
  NOTE: 20190629: Contacted credativ support and asked for a status update
--